
Apparently e-commerce companies are really bad about using open source software with known vulnerabilities. In one industry audit, 83 percent of the applications used in online retail were identified as “high” risk for criminals to exploit.

All this according to Black Duck Software, maker of security and compliance products used in open source development. They audited 1,071 open source applications used in business for their 2017 Open Source Security and Risk Analysis report and found egregious security oversights in the vast majority of online retail portals.

Information superhighway to the danger zone

The open source development model associates readily with reliability, agility, and security, which, for the most part, represents the open source movement in a fairly accurate light. You can save a bunch of money on proprietary licensing and crowd-source a good deal of development, too. Here comes the “big but”—most commercially deployed open source software isn’t as secure as you think.

The vulnerabilities mentioned in the report tie back to PCI DSS compliance, the rules that credit card companies use to govern card payments. Most, if not all, apps marked in the report as “vulnerable” break PCI DSS requirement #6.

Source: pcisecuritystandards.org

Patch and update mandates are required for PCI compliance

Developers that build open source applications do have licensing obligations under the GNU General Public License (GPL). As it pertains to security, under GPL, a developer that modifies and distributes open source software must disclose the modifications before distributing on StackExchange, GitHub, or other channels. This is so recipients know they are working with an altered variant of the original software, making it clear that patch and update procedures may differ from those associated with the original application.

Less than half (45%) of the audited open source software complied with GPL rules. As a result, a good number of open source “unknowns” wind up in commercial use. These create problems with patch and update procedures; known exploits go unfixed and companies become easy targets.

If you’re looking for a suggestion, check out JBoss Developer Studio, the reputable Red Hat Enterprise Linux (RHEL) middleware toolset. It is a subscription-based open-source toolset designed for PCI DSS-compliant app development, and Red Hat publishes security patches and advisories for it several times a week.

Don’t forget the firewall

Whether you’re hosting an e-commerce domain on your own servers or in the cloud, you need a business-class firewall to segment your network as PCI DSS requires. Newer firewalls and UTMs combine a proxy’s level of control with the speed of a packet filter.

Two-thirds of the open source applications used in business have known vulnerabilities. More than half of those vulnerable apps are rated as “high” severity by the National Institute of Standards and Technology (NIST). They’re not written in obscure languages and frameworks, either—Linux Kernel v.2.6.27.7 and PHP v. 4.0.0 were the two most frequently identified in the report.